Option Split (#84)

Author: imabhichow

src/main/java/software/amazon/encryption/s3/S3AsyncEncryptionClient.java

@@ -41,13 +41,15 @@ public class S3AsyncEncryptionClient implements S3AsyncClient {
     private final S3AsyncClient _wrappedClient;
     private final CryptographicMaterialsManager _cryptoMaterialsManager;
     private final SecureRandom _secureRandom;
+    private final boolean _enableLegacyWrappingAlgorithms;
     private final boolean _enableLegacyUnauthenticatedModes;
     private final boolean _enableDelayedAuthenticationMode;
 
     private S3AsyncEncryptionClient(Builder builder) {
         _wrappedClient = builder._wrappedClient;
         _cryptoMaterialsManager = builder._cryptoMaterialsManager;
         _secureRandom = builder._secureRandom;
+        _enableLegacyWrappingAlgorithms = builder._enableLegacyWrappingAlgorithms;
         _enableLegacyUnauthenticatedModes = builder._enableLegacyUnauthenticatedModes;
         _enableDelayedAuthenticationMode = builder._enableDelayedAuthenticationMode;
     }
@@ -80,6 +82,7 @@ public <T> CompletableFuture<T> getObject(GetObjectRequest getObjectRequest,
         GetEncryptedObjectPipeline pipeline = GetEncryptedObjectPipeline.builder()
                 .s3AsyncClient(_wrappedClient)
                 .cryptoMaterialsManager(_cryptoMaterialsManager)
+                .enableLegacyWrappingAlgorithms(_enableLegacyWrappingAlgorithms)
                 .enableLegacyUnauthenticatedModes(_enableLegacyUnauthenticatedModes)
                 .enableDelayedAuthentication(_enableDelayedAuthenticationMode)
                 .build();
@@ -132,6 +135,7 @@ public static class Builder {
         private SecretKey _aesKey;
         private PartialRsaKeyPair _rsaKeyPair;
         private String _kmsKeyId;
+        private boolean _enableLegacyWrappingAlgorithms = false;
         private boolean _enableLegacyUnauthenticatedModes = false;
         private boolean _enableDelayedAuthenticationMode = false;
         private Provider _cryptoProvider = null;
@@ -220,6 +224,11 @@ private boolean onlyOneNonNull(Object... values) {
             return haveOneNonNull;
         }
 
+        public Builder enableLegacyWrappingAlgorithms(boolean shouldEnableLegacyWrappingAlgorithms) {
+            this._enableLegacyWrappingAlgorithms = shouldEnableLegacyWrappingAlgorithms;
+            return this;
+        }
+
         public Builder enableLegacyUnauthenticatedModes(boolean shouldEnableLegacyUnauthenticatedModes) {
             this._enableLegacyUnauthenticatedModes = shouldEnableLegacyUnauthenticatedModes;
             return this;
@@ -252,19 +261,19 @@ public S3AsyncEncryptionClient build() {
                 if (_aesKey != null) {
                     _keyring = AesKeyring.builder()
                             .wrappingKey(_aesKey)
-                            .enableLegacyUnauthenticatedModes(_enableLegacyUnauthenticatedModes)
+                            .enableLegacyWrappingAlgorithms(_enableLegacyWrappingAlgorithms)
                             .secureRandom(_secureRandom)
                             .build();
                 } else if (_rsaKeyPair != null) {
                     _keyring = RsaKeyring.builder()
                             .wrappingKeyPair(_rsaKeyPair)
-                            .enableLegacyUnauthenticatedModes(_enableLegacyUnauthenticatedModes)
+                            .enableLegacyWrappingAlgorithms(_enableLegacyWrappingAlgorithms)
                             .secureRandom(_secureRandom)
                             .build();
                 } else if (_kmsKeyId != null) {
                     _keyring = KmsKeyring.builder()
                             .wrappingKeyId(_kmsKeyId)
-                            .enableLegacyUnauthenticatedModes(_enableLegacyUnauthenticatedModes)
+                            .enableLegacyWrappingAlgorithms(_enableLegacyWrappingAlgorithms)
                             .secureRandom(_secureRandom)
                             .build();
                 }

src/main/java/software/amazon/encryption/s3/S3EncryptionClient.java

@@ -76,6 +76,7 @@ public class S3EncryptionClient implements S3Client {
     private final S3Client _wrappedClient;
     private final CryptographicMaterialsManager _cryptoMaterialsManager;
     private final SecureRandom _secureRandom;
+    private final boolean _enableLegacyWrappingAlgorithms;
     private final boolean _enableLegacyUnauthenticatedModes;
     private final boolean _enableDelayedAuthenticationMode;
     private final boolean _enableMultipartPutObject;
@@ -85,6 +86,7 @@ private S3EncryptionClient(Builder builder) {
         _wrappedClient = builder._wrappedClient;
         _cryptoMaterialsManager = builder._cryptoMaterialsManager;
         _secureRandom = builder._secureRandom;
+        _enableLegacyWrappingAlgorithms = builder._enableLegacyWrappingAlgorithms;
         _enableLegacyUnauthenticatedModes = builder._enableLegacyUnauthenticatedModes;
         _enableDelayedAuthenticationMode = builder._enableDelayedAuthenticationMode;
         _enableMultipartPutObject = builder._enableMultipartPutObject;
@@ -148,6 +150,7 @@ public <T> T getObject(GetObjectRequest getObjectRequest,
         GetEncryptedObjectPipeline pipeline = GetEncryptedObjectPipeline.builder()
                 .s3Client(_wrappedClient)
                 .cryptoMaterialsManager(_cryptoMaterialsManager)
+                .enableLegacyWrappingAlgorithms(_enableLegacyWrappingAlgorithms)
                 .enableLegacyUnauthenticatedModes(_enableLegacyUnauthenticatedModes)
                 .enableDelayedAuthentication(_enableDelayedAuthenticationMode)
                 .build();
@@ -299,11 +302,12 @@ public static class Builder {
         private SecretKey _aesKey;
         private PartialRsaKeyPair _rsaKeyPair;
         private String _kmsKeyId;
-        private boolean _enableLegacyUnauthenticatedModes = false;
+        private boolean _enableLegacyWrappingAlgorithms = false;
         private boolean _enableDelayedAuthenticationMode = false;
         private boolean _enableMultipartPutObject = false;
         private Provider _cryptoProvider = null;
         private SecureRandom _secureRandom = new SecureRandom();
+        private boolean _enableLegacyUnauthenticatedModes = false;
 
         private Builder() {
         }
@@ -388,6 +392,11 @@ private boolean onlyOneNonNull(Object... values) {
             return haveOneNonNull;
         }
 
+        public Builder enableLegacyWrappingAlgorithms(boolean shouldEnableLegacyWrappingAlgorithms) {
+            this._enableLegacyWrappingAlgorithms = shouldEnableLegacyWrappingAlgorithms;
+            return this;
+        }
+
         public Builder enableLegacyUnauthenticatedModes(boolean shouldEnableLegacyUnauthenticatedModes) {
             this._enableLegacyUnauthenticatedModes = shouldEnableLegacyUnauthenticatedModes;
             return this;
@@ -425,19 +434,19 @@ public S3EncryptionClient build() {
                 if (_aesKey != null) {
                     _keyring = AesKeyring.builder()
                             .wrappingKey(_aesKey)
-                            .enableLegacyUnauthenticatedModes(_enableLegacyUnauthenticatedModes)
+                            .enableLegacyWrappingAlgorithms(_enableLegacyWrappingAlgorithms)
                             .secureRandom(_secureRandom)
                             .build();
                 } else if (_rsaKeyPair != null) {
                     _keyring = RsaKeyring.builder()
                             .wrappingKeyPair(_rsaKeyPair)
-                            .enableLegacyUnauthenticatedModes(_enableLegacyUnauthenticatedModes)
+                            .enableLegacyWrappingAlgorithms(_enableLegacyWrappingAlgorithms)
                             .secureRandom(_secureRandom)
                             .build();
                 } else if (_kmsKeyId != null) {
                     _keyring = KmsKeyring.builder()
                             .wrappingKeyId(_kmsKeyId)
-                            .enableLegacyUnauthenticatedModes(_enableLegacyUnauthenticatedModes)
+                            .enableLegacyWrappingAlgorithms(_enableLegacyWrappingAlgorithms)
                             .secureRandom(_secureRandom)
                             .build();
                 }

src/main/java/software/amazon/encryption/s3/internal/GetEncryptedObjectPipeline.java

@@ -43,6 +43,8 @@ public class GetEncryptedObjectPipeline {
     private final S3Client _s3Client;
     private final S3AsyncClient _s3AsyncClient;
     private final CryptographicMaterialsManager _cryptoMaterialsManager;
+    private final boolean _enableLegacyWrappingAlgorithms;
+
     private final boolean _enableLegacyUnauthenticatedModes;
     private final boolean _enableDelayedAuthentication;
 
@@ -59,6 +61,7 @@ private GetEncryptedObjectPipeline(Builder builder) {
         }
         this._s3AsyncClient = builder._s3AsyncClient;
         this._cryptoMaterialsManager = builder._cryptoMaterialsManager;
+        this._enableLegacyWrappingAlgorithms = builder._enableLegacyWrappingAlgorithms;
         this._enableLegacyUnauthenticatedModes = builder._enableLegacyUnauthenticatedModes;
         this._enableDelayedAuthentication = builder._enableDelayedAuthentication;
     }
@@ -219,6 +222,7 @@ public static class Builder {
         private S3Client _s3Client;
         private S3AsyncClient _s3AsyncClient;
         private CryptographicMaterialsManager _cryptoMaterialsManager;
+        private boolean _enableLegacyWrappingAlgorithms;
         private boolean _enableLegacyUnauthenticatedModes;
         private boolean _enableDelayedAuthentication;
 
@@ -250,6 +254,11 @@ public Builder cryptoMaterialsManager(CryptographicMaterialsManager cryptoMateri
             return this;
         }
 
+        public Builder enableLegacyWrappingAlgorithms(boolean enableLegacyWrappingAlgorithms) {
+            this._enableLegacyWrappingAlgorithms = enableLegacyWrappingAlgorithms;
+            return this;
+        }
+
         public Builder enableLegacyUnauthenticatedModes(boolean enableLegacyUnauthenticatedModes) {
             this._enableLegacyUnauthenticatedModes = enableLegacyUnauthenticatedModes;
             return this;

src/main/java/software/amazon/encryption/s3/materials/S3Keyring.java

@@ -21,12 +21,12 @@ abstract public class S3Keyring implements Keyring {
 
     public static final String KEY_PROVIDER_ID = "S3Keyring";
 
-    private final boolean _enableLegacyUnauthenticatedModes;
+    private final boolean _enableLegacyWrappingAlgorithms;
     private final SecureRandom _secureRandom;
     private final DataKeyGenerator _dataKeyGenerator;
 
     protected S3Keyring(Builder<?,?> builder) {
-        _enableLegacyUnauthenticatedModes = builder._enableLegacyUnauthenticatedModes;
+        _enableLegacyWrappingAlgorithms = builder._enableLegacyWrappingAlgorithms;
         _secureRandom = builder._secureRandom;
         _dataKeyGenerator = builder._dataKeyGenerator;
     }
@@ -88,8 +88,8 @@ public DecryptionMaterials onDecrypt(final DecryptionMaterials materials, List<E
             throw new S3EncryptionClientException("Unknown key wrap: " + keyProviderInfo);
         }
 
-        if (decryptStrategy.isLegacy() && !_enableLegacyUnauthenticatedModes) {
-            throw new S3EncryptionClientException("Enable legacy modes to use legacy key wrap: " + keyProviderInfo);
+        if (decryptStrategy.isLegacy() && !_enableLegacyWrappingAlgorithms) {
+            throw new S3EncryptionClientException("Enable legacy wrapping algorithms to use legacy key wrapping algorithm: " + keyProviderInfo);
         }
 
         try {
@@ -103,7 +103,7 @@ public DecryptionMaterials onDecrypt(final DecryptionMaterials materials, List<E
     abstract protected Map<String,DecryptDataKeyStrategy> decryptStrategies();
 
     abstract public static class Builder<KeyringT extends S3Keyring, BuilderT extends Builder<KeyringT, BuilderT>> {
-        private boolean _enableLegacyUnauthenticatedModes = false;
+        private boolean _enableLegacyWrappingAlgorithms = false;
         private SecureRandom _secureRandom;
         private DataKeyGenerator _dataKeyGenerator = new DefaultDataKeyGenerator();
 
@@ -112,8 +112,8 @@ protected Builder() {}
 
         protected abstract BuilderT builder();
 
-        public BuilderT enableLegacyUnauthenticatedModes(boolean shouldEnableLegacyUnauthenticatedModes) {
-            this._enableLegacyUnauthenticatedModes = shouldEnableLegacyUnauthenticatedModes;
+        public BuilderT enableLegacyWrappingAlgorithms(boolean shouldEnableLegacyWrappingAlgorithms) {
+            this._enableLegacyWrappingAlgorithms = shouldEnableLegacyWrappingAlgorithms;
             return builder();
         }
 

src/test/java/software/amazon/encryption/s3/S3AsyncEncryptionClientTest.java

@@ -33,10 +33,12 @@
 import java.util.ArrayList;
 import java.util.List;
 import java.util.concurrent.CompletableFuture;
+import java.util.concurrent.CompletionException;
 
 import static org.junit.jupiter.api.Assertions.assertDoesNotThrow;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.assertTrue;
 import static software.amazon.encryption.s3.utils.S3EncryptionClientTestResources.BUCKET;
 import static software.amazon.encryption.s3.utils.S3EncryptionClientTestResources.appendTestSuffix;
 import static software.amazon.encryption.s3.utils.S3EncryptionClientTestResources.deleteObject;
@@ -100,9 +102,9 @@ public void putDefaultGetAsync() {
         final String input = "PutDefaultGetAsync";
 
         v3Client.putObject(builder -> builder
-                        .bucket(BUCKET)
-                        .key(objectKey)
-                        .build(), RequestBody.fromString(input));
+                .bucket(BUCKET)
+                .key(objectKey)
+                .build(), RequestBody.fromString(input));
 
         CompletableFuture<ResponseBytes<GetObjectResponse>> futureGet = v3AsyncClient.getObject(builder -> builder
                 .bucket(BUCKET)
@@ -139,6 +141,7 @@ public void aesCbcV1toV3Async() {
         // V3 Client
         S3AsyncClient v3Client = S3AsyncEncryptionClient.builder()
                 .aesKey(AES_KEY)
+                .enableLegacyWrappingAlgorithms(true)
                 .enableLegacyUnauthenticatedModes(true)
                 .build();
 
@@ -154,6 +157,43 @@ public void aesCbcV1toV3Async() {
         v3Client.close();
     }
 
+    @Test
+    public void failAesCbcV1toV3AsyncWhenDisabled() {
+        final String objectKey = appendTestSuffix("fail-aes-cbc-v1-to-v3-async-when-disabled");
+
+        // V1 Client
+        EncryptionMaterialsProvider materialsProvider =
+                new StaticEncryptionMaterialsProvider(new EncryptionMaterials(AES_KEY));
+        CryptoConfiguration v1CryptoConfig =
+                new CryptoConfiguration();
+        AmazonS3Encryption v1Client = AmazonS3EncryptionClient.encryptionBuilder()
+                .withCryptoConfiguration(v1CryptoConfig)
+                .withEncryptionMaterials(materialsProvider)
+                .build();
+
+        final String input = "0bcdefghijklmnopqrst0BCDEFGHIJKLMNOPQRST";
+
+        v1Client.putObject(BUCKET, objectKey, input);
+
+        // V3 Client
+        S3AsyncClient v3Client = S3AsyncEncryptionClient.builder()
+                .aesKey(AES_KEY)
+                .enableLegacyWrappingAlgorithms(true)
+                .build();
+        try {
+            CompletableFuture<ResponseBytes<GetObjectResponse>> futureResponse = v3Client.getObject(builder -> builder
+                    .bucket(BUCKET)
+                    .key(objectKey), AsyncResponseTransformer.toBytes());
+            futureResponse.join();
+        } catch (CompletionException e) {
+            assertEquals(S3EncryptionClientException.class, e.getCause().getClass());
+        }
+
+        // Cleanup
+        deleteObject(BUCKET, objectKey, v3Client);
+        v3Client.close();
+    }
+
     @Test
     public void AsyncAesGcmV2toV3WithInstructionFile() {
         final String objectKey = appendTestSuffix("async-aes-gcm-v2-to-v3-with-instruction-file");